Parallel display of multiple graphical indicators representing differing search criteria evaluated across a plurality of events

ABSTRACT

A visualization can include a set of swim lanes, each swim lane representing information about an event type. An event type can be specified, e.g., as those events having certain keywords and/or having specified value(s) for specified field(s). The swim lane can plot when (within a time range) events of the associated event type occurred. Specifically, each such event can be assigned to a bucket having a bucket time matching the event time. A swim lane can extend along a timeline axis in the visualization, and the buckets can be positioned at a point along the axis that represents the bucket time. Thus, the visualization may indicate whether events were clustered at a point in time. Because the visualization can include a plurality of swim lanes, the visualization can further indicate how timing of events of a first type compare to timing of events of a second type.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims benefit as a Continuation of application Ser.No. 14/326,459, filed Jul. 8, 2014, which claims benefit as aContinuation of application Ser. No. 14/046,767, filed Oct. 4, 2013, nowU.S. Pat. No. 8,806,361, issued Aug. 12, 2014, which claims benefit ofU.S. Provisional Application Ser. No. 61/878,498, filed on Sep. 16,2013, and claims benefit of U.S. Provisional Application Ser. No.61/883,071, filed on Sep. 26, 2013, the entire contents of theaforementioned are hereby incorporated by reference as if fully setforth herein, under 35 U.S.C. §120. The applicant(s) hereby rescind anydisclaimer of claim scope in the parent application(s) or theprosecution history thereof and advise the USPTO that the claims in thisapplication may be broader than any claim in the parent application(s).

TECHNICAL FIELD

The present disclosure relates generally to time-synched visualizationsof events of a variety of types.

BACKGROUND

Businesses and their data analysts face the challenge of making sense ofand finding patterns in the increasingly large amounts of data of alltypes—big data—that such businesses generate and collect. For example,accessing computer networks and transmitting electronic communicationsacross them generates massive amounts of data, including such types ofdata as machine data and Web logs. Identifying patterns in this data,once thought relatively useless, has proven to have great value. In someinstances, pattern analysis can indicate which patterns are normal andwhich ones are unusual. Detection of the unusual patterns can allow acomputer system manager to investigate the circumstances and determinewhether a computer system security threat exists.

As another example, analysis of such data allows businesses tounderstand how their employees, potential consumers, and/or Web visitorsuse the company's online resources. Such analysis can provide businesseswith operational intelligence, business intelligence, and an ability tobetter manage their IT resources. For instance, such analysis may enablea business to better retain customers, meet customer needs, or improvethe efficiency of the company's IT resources.

Despite the value that one can derive from the underlying datadescribed, making sense of this data to realize that value takes effort.In particular, patterns in underlying data may be difficult to identifyor understand when analyzing specific behaviors in isolation, oftenresulting in the failure of a data analyst to notice valuablecorrelations in the data from which the business can draw strategicinsight.

SUMMARY

In accordance with the teachings provided herein, in some embodiments,systems and methods are provided for visualizing temporal informationpertaining to various types of events. The visualization can include aset of swim lanes, each swim lane representing information about anevent type (e.g., a set of events meeting specified criteria). Eachevent type may be defined by a query specifying criteria for theselection of events, such that events identified in response to thequery are defined as being of the event type. For example, an event typecan include those events having a particular keyword or keywords and/ora particular value or values for a given field or fields (e.g., an eventtype could include all events with a “POST” method or that contain thekeyword “POST”).

As described in greater detail below, the events for which visualizationmethods are provided herein can include any or all of the following: (1)time-stamped segments of raw data, unstructured data, or machine data(or transformed versions of such data); (2) the kinds of events analyzedby vendors in the Security Information and Event Management (“SIEM”)field; (3) any other logical piece of data (such as a sensor reading)that was generated at or corresponds to a fixed time (thereby enablingassociation of that piece of data with a time stamp representing thefixed time); and (4) occurrences where some combination of two or moreof any of the foregoing types of events either meets specified criteriaor was manually selected by a data analyst as notable or a cause for analert.

The swim lane may run along a time axis (such as a horizontal time axis)representing a fixed time period, thus enabling plotting representationsof the events of the type associated with the swim lane along the axisto indicate when such events occurred within the fixed time period thatthe axis defines. Specifically, each such event can be assigned to abucket having a bucket time that corresponds to the time that theevent's time stamp represents. Depending on the embodiment, each bucketmay be configured to have one, or to have more than one, event assignedto it. If a bucket has only one event, its bucket time may correspond tothe time stamp of the event that it contains; if a bucket has multipleevents, its bucket time may correspond to a time range encompassing thetime stamps of the underlying events in the bucket. A visual indicator,such as a color or color shade of the bucket, may indicate the number ofevents that a bucket represents, such as with lighter shades indicatingfew underlying events in a bucket and darker shades indicating manyunderlying events in the bucket.

As mentioned, a swim lane can extend along an axis in the visualization,and representations of the buckets can be positioned at a point alongthe axis that represents the bucket time. With the additional use ofcolor or shading to indicate the number of events that a bucketcontains, the visualization may indicate for each swim lane how closelytogether in time events that meet specified criteria (e.g., events of aparticular type) are clustered. Because the visualization can include aplurality of swim lanes, the visualization can further indicate howtiming of events of a first type compare to timing of events of a secondtype, enabling a data analyst to notice interesting correlations betweenthe timing of events meeting different criteria.

In some embodiments, a computer-implemented method is provided. Themethod includes receiving a selection of a time period through agraphical user interface. For each of a plurality of event types thatdefine criteria for selection of events, a set of events is identified.Each event in the set of events matches the event type. Each event inthe set of events is associated with an event time that is within thetime period. Further, for each of a plurality of event types that definecriteria for selection of events, each event in the set of events is toa bucket in a set of buckets. Each bucket in the set of buckets isassociated with a bucket time that is within a time range containing theevent times of all the events assigned to the bucket. Further, for eachof a plurality of event types that define criteria for selection ofevents, a swim lane is generated. The swim lane displays arepresentation of each bucket in the set of buckets at a position alonga timeline axis that reflects the bucket time. The generated swim lanesare displayed and are displayed to be parallel to each other. Therepresentation of a bucket in the set of buckets may be displayed in theswim lanes may also indicate a number of events assigned to the bucket.

The representation of a bucket in the set of buckets displayed in theswim lanes may use color or color shading to indicate a number of eventsassigned to the bucket. The representation of each bucket in the set ofbuckets displayed in the swim lanes may be of a same size. Each bucketin the set of buckets may contain only one event, and the bucket timefor the bucket may match the event time for the event assigned to thebucket. A plurality of events may be assigned to a bucket of theplurality of buckets.

In some instances, the method may further include receiving an inputcorresponding to an identification of a bucket of the set of bucketsrepresented in one of the generated swim lanes and displaying additionalinformation about one or more events assigned to the identified bucket.

In some instances, the method may also include receiving an inputcorresponding to an identification of a bucket represented in one of thegenerated swim lanes displaying at least a portion of one or more eventsassigned to the identified bucket. In some instances, the method mayalso include receiving input reflecting selection of a swim lane or abucket in a swim lane and displaying a drill-down view that providesfurther information about events in the swim lane.

In some instances, the method may also include receiving inputreflecting selection of a swim lane or a bucket in a swim lane anddisplaying a drill-down view based on a drill-down query different froma query used to select events for the swim lane. The generated swimlanes may be displayed in an order relative to each other. The methodmay further include receiving an input corresponding to anidentification of a new order for displaying the generated swim lanesdisplaying the generated swim lanes in the new order. A query mayinclude a search criterion corresponding to one of the plurality ofevent types, and the method may further include retrieving events forthe generated swim lane corresponding to the event type using the query.

In some instances, the method may also include displaying a userinterface for receiving a search criterion for a field that is definedby a data model; receiving the search criterion through the userinterface; receiving, through the user interface, an indication that thesearch criterion is to be used to generate a swim lane; generating aquery to retrieve events corresponding to the search criteria; and usingthe query to define the event type for the swim lane and to retrieveevents relevant to the swim lane.

In some instances, the method may further include periodically storingan intermediate summary. Each intermediate summary in a set ofintermediate summaries may summarize events of a same event type. Eachintermediate summary may be associated with a time range inclusive oftime stamps of the events summarized in the summary. The method may alsoinclude retrieving events from an intermediate summary of the set ofintermediate summaries to accelerate the generation of one of thegenerated swim lanes. The time period may include the time rangecorresponding to the intermediate summary.

In some instances, the method may also include receiving a globalconstraint specifying criteria that all events represented in displayedswim lanes are to meet. The displayed swim lanes may represent onlyevents that both are of one of the plurality of event types and thatalso satisfy the global constraint.

In some instances, the method may also include receiving a requestidentifying a further constraint that events assigned to buckets includeonly those events related to a particular asset or a particular user;and representing, in the displayed swim lanes, only events that both areof one of the plurality of event types and that also are related to theparticular asset or the particular user.

In some instances, the method may also include, for an event type of theplurality of event types, retrieving the set of events from atime-series data store, wherein the retrieved events include raw data,machine data, unstructured data, or transformed raw data.

An event assigned to a bucket of the set of buckets represented in oneof the generated swim lanes may include summarized data derived using adata reduction technique. An event assigned to a bucket of the set ofbuckets represented in one of the generated swim lanes may include anotable event or an alert.

In some instances, the method may also include receiving a selection ofone or more buckets and receiving input indicative of a request that anotable event or alert corresponding to the selected one or more bucketsbe created. The method can further include creating the notable event oralert corresponding to the selected one or more buckets.

The details of one or more embodiments of the invention are set forth inthe accompanying drawings and the description below. Other features,aspects, and advantages of the invention will become apparent from thedescription, the drawings, and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is described in conjunction with the appendedfigures:

FIG. 1 shows a block diagram of an embodiment of a data managementinteraction system;

FIG. 2 shows a block diagram of an embodiment of a visualization system;

FIGS. 3A and 3B show examples of swim-lane visualizations;

FIG. 4 illustrates a flowchart of an embodiment of a process forgenerating a visualization indicative of events' timings;

FIG. 5 shows an example of an interface for customizing a swim-lanevisualization;

FIGS. 6A and 6B illustrate flowcharts of embodiments of processes forpresenting bucket details;

FIG. 7 illustrates a flowchart of an embodiment of a process fordefining notable events;

FIG. 8 illustrates an example of a swim-lane visualization with bucketselection;

FIG. 9 illustrates examples of information pertaining to a set ofnotable events;

FIG. 10 shows a block diagram of an embodiment of a data intake andquery system;

FIG. 11 illustrates a flowchart of an embodiment of a process forstoring collected data;

FIG. 12 illustrates a flowchart of an embodiment of a process forgenerating a query result;

FIG. 13 illustrates a flowchart of an embodiment of a process for usinga data model to generate a query; and

FIG. 14 illustrates a flowchart of an embodiment of a process for usingintermediate information summaries to accelerate the generation ofreports that a query indicates is intended to be periodically run andupdated with new data.

Like reference numbers and designations in the various drawings indicatelike elements.

DETAILED DESCRIPTION

The ensuing description provides preferred exemplary embodiment(s) onlyand is not intended to limit the scope, applicability or configurationof the disclosure. Rather, the ensuing description of the preferredexemplary embodiment(s) will provide those skilled in the art with anenabling description for implementing a preferred exemplary embodiment.It is understood that various changes can be made in the function andarrangement of elements without departing from the spirit and scope asset forth in the appended claims.

Referring first to FIG. 1, a block diagram of an embodiment of a datamanagement interaction system 100 is shown. A client 105 can include aparty that can define and/or control details as to how events are to becollected, identified or used to extract field values. A view 115 caninteract with a visualization system 150 to access information about theevents (e.g., when the events, or a subset of the events, occurred).

A client 105 and/or user 115 can interact with a data intake and querysystem 145 and/or a visualization system 150 via a respective device 110and/or 120 and a network 140. Data intake and query system 145 and thevisualization system 150 can be directly connected, integrated into asame system, or communicate via network 140. Network 140 can include theInternet, a wide area network (WAN), local area network (LAN) or otherbackbone. It will be understood that, although only one client 105 anduser 115 are shown, system 100 can include multiple clients 105 and/orusers 115.

Client device 110 and/or user device 120 can each be a single electronicdevice, such as a hand-held electronic device (e.g., a smartphone). Itwill be understood that client device 110 and/or user device 120 canalso include a system that includes multiple devices and/or components.The device(s) 110 and/or 120 can comprise a computer, such as thedesktop computer, a laptop computer or a tablet. In some instances, aparty 105 and/or 115 uses different devices at different times tointeract with visualization system 150.

User 115 can utilize visualization system 150 in order to view events'absolute and relative timings. The visualization can include a pluralityof swim lanes, each corresponding to a certain type of event (e.g., eachswim lane displaying events meeting specified criteria) over a timerange defined by a time axis along which the swim lane runs. Within aswim lane, a set of buckets identifies when events in each of thebuckets occurred. In an exemplary embodiment, buckets can hold aplurality of events, and a face of a displayed bucket (e.g., its coloror color shade) indicates the number of events in that bucket. In analternative embodiment, there is a one-to-one mapping between bucketsand events, with each bucket corresponding to exactly one event.

To display the events that the software plots in a swim lane, a querycan be generated and executed. The query can specify criteria to use forthe selection of events to display in a given swim lane, therebydefining the event type for that swim lane. Such criteria may specifyselection of events having a particular keyword or keywords and/or afield or fields with a particular value or values. Because the swim lanedisplays qualifying events that occur in the time range displayed forthe swim lane, the query may likewise specify corresponding timecriteria for the selection of events.

As noted, the visualization may include a plurality of swim lanesdisplaying events of different types in different lanes. This enables adata analyst to easily discover and make sense of correlations andpatterns between when events of different types occur. Such correlationsand patterns enable the data analyst to make sense of their data. As inother fields, this can be useful in understanding computer securityrisks (e.g., to identify abnormal event patterns, or event patternspreceding security breaches).

As noted, a query may define the criteria for events to represent in agiven swim lane. The intake and query system 145 may have responsibilityfor processing such a query by retrieving the events meeting thespecified criteria—the event type—for a given swim lane and providingthe events for display to the visualization system 150.

Exemplary Systems for Generating, Storing and Retrieving Events

As noted, the swim lanes of the present invention may display on atimeline the timing of a variety of different types of events. SPLUNK®ENTERPRISE, which is software produced and sold for on-premise and clouduse by Splunk Inc. of San Francisco, Calif., provides an exemplarysystem for generating, storing, and retrieving events that can providethe functionality of the data intake and query system 145. While SPLUNK®ENTERPRISE can turn almost any time series data into events of the typethat can be visualized by the methods of the present invention, it hasgained particular appeal in the market for deriving events fromunstructured data and machine data. It is the leading software forproviding real-time operational intelligence, enabling organizations tocollect, index, and harness machine-generated big data coming from thewebsites, applications, servers, networks, and mobile devices that powertheir businesses.

At a high level, SPLUNK® ENTERPRISE may take raw data, unstructureddata, or machine data such as a Web log, divide the data up intosegments, and optionally transform the data in these segments to producetime-stamped events. The software derives the time stamp for each eventby extracting it from the event data itself or by interpolating anevent's time stamp relative to other events for which the software canderive a time stamp. SPLUNK® ENTERPRISE then stores the events in atime-series data store against which it can run queries to retrieveevents meeting specified criteria, such as having certain keywordsand/or having certain value(s) for certain defined field(s).

SPLUNK® ENTERPRISE is particularly noteworthy for employing a so-calledlate-binding schema. As noted, an event in SPLUNK® ENTERPRISE typicallycontains an entire segment of raw data (or transformed version of such).To run queries against events other than those involving keywordsearches, a schema can be developed. Such a schema may include one ormore fields. Each field may be defined for a subset of the events in thedata store and specify how to extract a value from each of the subset ofevents for which the field has been defined. The extraction rule for afield is often done using a regular expression (regex rule), and it isassociated with a logical type of information that is contained withinan event for which it is defined. The term “late-binding schema” refersto a system such as in SPLUNK® ENTERPRISE where the schema is notdefined at index time as with database technology; rather, in a systeminvolving late-binding schema, the schema can be developed on an ongoingbasis up until the time it needs to be applied (which is query time, asa query often specifies the criteria for events of interest in terms ofevents having specified value(s) for specified field(s)). As a dataanalyst learns more about the data in stored events, in a late-bindingschema, he can continue to develop the schema up until the next time itis needed for a query.

Because SPLUNK® ENTERPRISE maintains the underlying raw data and enablesapplication of a late-binding schema, it has great power to enableinvestigation of issues that arise as a data analyst learns more aboutthe data stored in the system's events.

Splunk Inc. also produces a number of applications that run on top ofthe SPLUNK® ENTERPRISE platform to provide additional functionality forapplications in particular fields. One such example is the SPLUNK® APPFOR ENTERPRISE SECURITY, which provides additional functionality toassist in identifying computer and network security threats from thedata ingested and stored by SPLUNK® ENTERPRISE. Besides providingfunctionality to help with schema creation for data coming fromparticular data sources popular in the computer and network securitycontext, the SPLUNK® APP FOR ENTERPRISE SECURITY also provides uniquevisualizations for discovering security threats and enables the creationof so-called “notable events.”

A “notable event” can be generated in SPLUNK® APP FOR ENTERPRISESECURITY in two ways: (1) a data analyst may manually identify a groupof two or more events as notable because of some correlation among theevents that piqued the analyst's concern, and the manually identifiedset of events is the notable event, or (2) criteria can be specifiedthat is met by a combination of two or more events, and the set ofevents that together meet the criteria is the notable event. Optionally,in this latter example, a data analyst may generate a query specifyingthe criteria for a notable event, and every time a group of two or moreevents satisfies the criteria, the software generates a notable event; aquery of this type is referred to as a “correlation search.” It will beappreciated that notable events generated using one or both of thesetechniques can be represented in a given visualization.

As noted, the types of events to which the visualization methods of thepresent invention may be applied include any of the types of events ornotable events generated by SPLUNK® ENTERPRISE and the SPLUNK® APP FORENTERPRISE SECURITY.

Exemplary SIEM Systems for Generating, Storing, and Retrieving Events

While utilizing events including raw data (or transformed raw data) mayprovide advantages, the events that can be visualized using the methodsof the present invention can also include any other logical piece ofdata (such as a sensor reading) that was generated at or corresponds toa fixed time (thereby enabling association of that piece of data with atime stamp representing the fixed time). Another exemplary source ofevents in the computer and network security space involves the kinds ofevents generated and analyzed by vendors in the Security Information andEvent Management (“SIEM”) field. These vendors produce software thatcompetes with the SPLUNK® APP FOR ENTERPRISE SECURITY.

SIEM vendors have a significant disadvantage. Their software does notretain the entire underlying raw data, nor does it employ a late-bindingschema. Rather, at index time, raw data may be divided into segments anda time-stamp derived, as in SPLUNK® ENTERPRISE. But these raw datasegments are then processed to extract values for a limited set offields that are defined for each segment prior to index time. In amethod referred to as data reduction, STEM software then throws away theunderlying raw data once values have been extracted for the fields thatwere defined prior to index time. If it becomes important to look atunderlying data later as data issues are discovered, STEM softwarecannot provide that capability. Nonetheless, each set of values forfields extracted from a given time-stamped segment may comprise atime-stamped event.

Analogous to the notable events of SPLUNK® APP FOR ENTERPRISE SECURITY,STEM software may generate so-called “alerts” when combinations of twoor more of their data-reduced events are manually identified or meetspecified criteria (such criteria may be defined by a so-called “rule,”which is analogous to the correlation searches of SPLUNK® APP FORENTERPRISE SECURITY).

The events that the methods of the present invention may help tovisualize may also include the kinds of data-reduced events and alertsthat are produced by STEM software.

Referring next to FIG. 2, a block diagram shows an embodiment ofvisualization system 150. Visualization system 150 can be present on adevice (e.g., 110 or 120), run in the cloud, or run in some combinationof cloud and on-premise software.

Exemplary Visualization System

Visualization system 150 includes a swim-lane query engine 205 thatdefines a type of event that will be represented in each swim lane andgenerates a query that, when executed, will collect events for the swimlane. The event-type definitions can be based on input (e.g., from user115). The user may specify event-type definitions for a swim lane in oneof two ways: (1) by typing in a query specifying the criteria for theevents to display in a swim lane, or (2) providing input into a userinterface that enables the user to enter criteria for predefined fieldsof a data model that defines fields for a particular subset of events inthe system, enabling the system to then automatically create a querythat defines the event-type for a swim lane from the entered criteria.

Typically, an event-type definition for a swim lane specifies much ofthe criteria for selecting events for a swim lane using a combination ofcriteria involving key words and/or a specified value or values for aspecified field or fields. But the user may also have the option ofsupplementing the event-type definition for each swim lane with anoptional global event limiter that specifies criteria filtering out allevents in all swim lanes except those somehow meeting a specificadditional criterion (in FIG. 3A, for example, the top of the screenshows that all events in all swim lanes are somehow related to aparticular user, cnoel; this instead could have been a global limiter,for example, specifying criteria for filtering all events except thosesomehow related to a particular asset, such as all events—regardless ofuser—related to use of a particular server). Such global criteria isjust another criterion that could have been applied to qualify eventsonly within a particular swim lane but instead is applied to all eventsacross all swim lanes, and a user interface can be provided enabling auser to specify such global limiter criteria.

A time-period definer 210 can identify a time range to be represented ina visualization. The time range may be defined based on user input orcan be set to a default value. Again, time-range options can bepresented to a user, and a selected option can be used to define thetime range.

Using an event-type definition, and supplemented by a time rangespecified by the user in time-period definer 210 and/or a global eventlimiter criterion as specified above, swim-lane query engine 205 cangenerate a query to collect events of the defined event type that alsomeet the time range and any specified global criterion limiter. Thequery can be transmitted to data intake and query system 145 to retrieveevents to display in the swim lane.

Upon receiving the events, swim-lane query engine 205 can save theresults in an event data store 215 with an identifier of which swim laneis to display the events.

A bucket engine 220 can define how the buckets represent sets of events.Buckets can be configured to exactly one event or can be configured tohold any number of events. In the latter case, bucket engine 220 canidentify how to divide the time view into bucket periods. For example,the time view can be divided into a fixed number of bucket periods, orbucket periods can have a fixed duration. All displayed buckets may havea fixed size, which may in turn be determined either to correspond to acertain amount or percentage of time relative to the timeline or so thatbuckets contain no more than a certain number or percentage of events.In some instances, bucket periods depend on how many events fall withinthe time view.

Bucket engine 220 can then, for each swim lane, assign each of the swimlane's events to a bucket. Events can be assigned in a manner such thatthe events assigned to a bucket match the bucket's time. For one-to-oneevent-to-bucket assignments, the bucket time can be the same as theevent time. For buckets configured to hold more than one event, thebucket can contain all events whose time stamp falls with a period oftime represented by the bucket. Bucket engine can store informationabout the buckets and event assignments in a bucket data store 225. Foreach bucket, stored information can include an identifier of the bucket,an identifier of a swim lane in which to display the bucket, anidentifier of events assigned to the bucket, and/or the bucket's timerange.

A preference engine 230 can identify preferences pertaining to avisualization showing the swim lanes. The preferences can include whichlanes to include in the visualization and/or an order of the lanes. Thepreferences can identify details as to how buckets are to be represented(e.g., colors or textures or the representations). The preferences canbe based on user input specifying the preferences. Default settings canbe used if appropriate inputs corresponding to preference identificationhave not been received.

Using the preferences and bucket data, a visualization engine 235 cangenerate a visualization that includes swim lanes. Each swim lane caninclude events of a type determined by swim-lane query engine 205. Foreach swim lane, visualization engine 235 can select buckets from bucketdata store 225 that are associated with the swim lane. The swim lane canextend along a first axis (e.g., a horizontal axis), and buckets can berepresented at positions along the first axis representative of thebucket's time. The swim lanes can be aligned parallel to each other,stacked on top of each other above the timeline axis. Thus, a user maybe able to visually determine how timing of events represented in oneswim lane compare to timing of events represented in another swim lane.

Visualization engine 235 can order the swim lanes in accordance withpreferences set by a user. A user may have the ability through thevisualization interface to re-arrange the order of the parallel swimlanes, dragging and dropping them to adjust the order above the timelineaxis. Such re-ordering abilities enable a user to place two swim lanesrepresenting two different event types of interest next to each other toaid in temporal comparison.

FIGS. 3A and 3B show examples of swim-lane visualizations. In theseparticular visualizations, all represented events have the optionalglobal criterion limiter limiting the events to those associated with aspecific user “cnoel” (again, such a global criterion limiter isoptional and may be definable by the user through a variety of userinterface tools). The visualization includes a plurality of swim lanes305, each of which pertains to a different event type. Controls 310 and320 together allow a user to select a time period of interest. In thedepicted visualization, the time period in control 310 is set for“Today.” The time view selector 320 allows the user to specify a timeview within the time period set by control 310. In the depictedinstance, the bottom bar of the selector can be slid along the timeperiod, and the selector can be expanded or contracted using the sidehandles on the selector. Events of types corresponding to swim lanesthat are within the time period can then be retrieved, and swim laneswill display events that are within the selected range.

A bottom population graph 315 shows a time plot of a time-varying countof all retrieved events (e.g., all events of types corresponding to thetime period). It will be appreciated that the population graph may, inother embodiments, represent other time-varying counts (e.g., of eventsof a single type, or of more events than are represented by the swimlanes).

Events can be represented by buckets in the swim lanes. Thevisualization shows representations of buckets 325 as being verticalbars. The entire horizontal length of the swim lanes correspond to theselected time view. Thus, it will be appreciated that, in this instance,all swim lanes represent events with time stamps within a same timeview. (In alternative embodiments, the visualization may be configuredto allow time views to be set for individual swim lanes.) The intensityof the color of a bucket (or its color or color shade) indicates thenumber of events held by the bucket. In the depicted visualization,darker color shades represent more events. A fixed color scaling (e.g.,globally fixed or fixed given a particular time-range duration) can beused to determine the intensity, or the intensities may be distributedin a normalized manner, to ensure that differences in colors can berecognized regardless of absolute event-assignment numbers.

FIG. 4 illustrates a flowchart of an embodiment of a process 400 forgenerating a visualization indicative of a swim lane view of the timingof events. Process 400 begins at block 405, where swim-lane query engine205 defines a plurality of event types for a plurality of swim lanes.The event type definition can be a query either entered by the user orgenerated through a data modeling user interface.

Time-period definer 210 identifies a time view at block 410. The timeview can be defined based on a user input, which can include, e.g.,identification of a relative time (e.g., last 24 hours) or absolutetime, perhaps entered through user interface controls such as 310 and320. The time view can include a portion (or all) of a time period,where the time period corresponds to one used to indicate which eventsto retrieve from a data store.

For each of the defined event types, at block 415, swim-lane queryengine 205 accesses events of the defined type with time stamps fallingwithin the time period specified by the time view. Specifically,swim-lane query engine 205 can generate a query to locate events thatare of the event type within the specified time period. The query can besent to a data intake and query system 145, and results can be receivedfrom the system 145. Swim-lane query engine 205 can store the results inevent data store 215. Bucket engine can then access, from event datastore 215, events within the time view.

Bucket engine 220 generates buckets with bucket times corresponding tothe event times at block 420. The buckets can be accessed if an existingbucket associated with the event type and having a time corresponding to(e.g., including) the bucket time already exists and has not met athreshold number of events (if such a threshold exists). Otherwise, anew bucket can be generated (e.g., having a bucket time that equals theevent time or having a bucket time window that includes the event time).

Bucket engine 220 assigns the events to the corresponding buckets atblock 425. The assignment can include associating an identifier of theevent with an identifier of the bucket and/or incrementing an eventcount of the bucket. Bucket engine 220 counts events assigned to eachbucket at block 430.

Visualization engine 235 generates a swim lane representing the bucketsat block 435. The swim lane can extend along an axis and position bucketrepresentations at positions representing the bucket times. Bucketrepresentations can include one or more shared characteristic (e.g., asize, color, and/or orientation) and, in some instances, can include avarying characteristic (e.g., a color intensity or size) that depends onevents held by the bucket. For example, the varying characteristic candepend on how many events are in the bucket or whether any event in thebucket includes a particular feature. Blocks 415-435 can be performedfor each event type.

Visualization engine 235 generates a visualization with the swim lanesat block 440. The swim lanes can be aligned in the visualization to aidin comparison of bucket times. Blocks 410-440 can be repeated for a newtime view. Such repetition can occur, e.g., after detecting an inputcorresponding to an identification of a new time view. The generation ofa new visualization can include modification of an existingvisualization.

Exemplary Visualization Customization

The visualization can be customized based on user preferences. Forexample, FIG. 5 shows an example of an interface for customizing aswim-lane visualization. The user can set a color for bucketsrepresented in each lane. The user can further check or uncheck boxes toindicate that a lane corresponding to the listed event type is to beincluded in a visualization.

Predefined collections of swim lanes can be defined and selected aswell. This is shown in the top part of the selector. If a particularcollection is selected, those swim lanes associated with that collectionwill be checked in the lower part of the selector and then displayed inthe visualization. The “custom” collection enables the turning on andoff of each individual swim lane that has been previously defined.

Exemplary Bucket-Specific Event Detail Representations

Returning to FIG. 2, an event detailer 240 can access bucket data andevent data in order to collect further detail about events held by anygiven bucket. This detail may be presented upon detecting a selection orview of any particular bucket or group of buckets.

For example, in FIGS. 3A and 3B, if a user hovers over a bucketrepresentation, a hover window 330 appears that indicates the bucket'stime and concise information about event(s) in the bucket (e.g.,identification of one or more assets (e.g., devices) corresponding tothe events, identification of one or more accounts corresponding to theevents, a number of assets corresponding to the events, a number ofaccounts corresponding to the events and/or a number of events in thebucket).

When a user clicks on a bucket, details pertaining to the bucket may beshown in a sign board 335. The details can include, e.g., times of theevent(s) in the bucket, identification of one or more assets (e.g.,devices) corresponding to the events, identification of one or moreaccounts corresponding to the events, identification of one or more useridentifiers corresponding to the events, a number of assetscorresponding to the events, a number of accounts corresponding to theevents and/or a number of events in the bucket. Details shown in thesign board may vary depending on whether a single event is held by thebucket or whether many events are held. In the former case, field valuesfor the event or the event itself may be show in the sign board. FIG. 3Ashows an example of a sign board presenting detail for a bucket holdinga single event. In the latter case, in addition or instead of suchdetails, population information based on the events in the bucket can bepresented (e.g., counts or unique values).

FIG. 3B shows an example of a sign board presenting detail for a bucketholding multiple events. In some instances, a user may be able to drilldown into any particular event by clicking on its representation in thesign board, which may cause more detail about the event to be presentedor may cause the event itself to be presented.

If a user selects a group of buckets, the sign board 335 may presentoverview details pertaining to the group of selected buckets (such asthe number of events contained in all the selected buckets together).

In response to selecting a bucket, a swim lane, or some otheruser-interface control, the software may leave the swim lane view andpresent a drill-down view of the selected information. If the selectionwas a drill down of a bucket, the view may just present the full detailsof the underlying events themselves (and perhaps even the query thatwould generate the events in the selected bucket or the query for theswim lane). If the selection was a drill down of the whole swim lane,the view may again present the full details of all the underlying eventsin the swim lane. Alternatively, the drill down may be some alternativevisualization, or it may be a set of events or visualization that givefurther information and context than what was originally in the swimlane, equating to a query different than the one that generated the swimlane. The user may have the option of what kind of drill down to showbased on selections in a swim lane, of a swim lane, or selections ofevents across multiple swim lanes. The point is that drill down enablesdeeper exploration of the information in a swim lane, though what ismost valuable to show is context dependent on the types of events shownin the swim lanes.

FIGS. 6A and 6B illustrate flowcharts of embodiments of processes 600 aand 600 b for presenting bucket details. At blocks 605 and 655, eventdetailer 240 receives an input corresponding to an identification of abucket. The input can include, e.g., an identification that a bucket hasbeen clicked on or hovered over and can further identify the bucket.Using the bucket identification, event detailer 240 can retrieveinformation about the bucket from bucket data store 225. The informationcan include, e.g., the bucket's time (e.g., which can include a timerange) and can include an identification of events assigned to thebucket. Event detailer 240 can retrieve information about the identifiedevents from event data store 215. In some instances (e.g., at block665), entire events are retrieved from event data store 215.

Visualization engine 235 presents information about events assigned tothe bucket at blocks 615 and 670. The information can include part orall of one or more events assigned to the bucket. FIGS. 3A-3B showexamples of a hover window 330 and a sign board 335 showing eventdetails. The type of information that is presented can depend on anumber of events assigned to the bucket (e.g., one or multiple), thetype of input (e.g., hover or click) and/or a type of event.Alternatively, drill down views can differ in the ways previouslymentioned.

Exemplary Definitions of Notable Events

FIG. 7 illustrates a flowchart of an embodiment of a process 700 fordefining a notable event. Process 700 begins at block 705, whereswim-lane query engine 205 detects input corresponding to anidentification of a plurality of buckets. The plurality of buckets canbe within a single lane or in a set of lanes. The input can include aselection of individual buckets or a selection of an area that includesthe buckets.

FIG. 8 illustrates an example of a swim-lane visualization withselection of a group of buckets. In this depiction, 20 buckets across 5lanes have been selected. The ability to reorder lanes can enable a userto align lanes of interest prior to defining such multi-lane buckets.

At block 710, data for the selected buckets is retrieved and may bedisplayed in a hover box and/or sign board. At block 715, the set ofevents in the selected group of buckets is defined as a notable event.Thereafter, a bucket can be added to the top notable-event swim lane torepresent the new notable event. The notable event can be named, e.g.,according to a name received as an input. An urgency state can also beassigned to the event and can be based on received input identifying thestate. These statuses can then allow visualizations to include swimlanes with only those notable events at or above a particular urgencystate (e.g., medium or high). FIG. 9 provides a display of previouslydefined notable events and the information about each of the displayednotable events.

Exemplary Systems for Generating, Storing and Retrieving Events

As noted above, the visualization techniques described herein can beapplied to a variety of types of events, including those generated andused in SPLUNK® ENTERPRISE. Further details of underlying architectureof SPLUNK® ENTERPRISE are now provided.

FIG. 10 shows a block diagram of SPLUNK® ENTERPRISE's data intake andquery system, which provides an exemplary embodiment of a data intakeand query system 145. Generally, the system 145 includes one or moreforwarders 1010 that collect data from a variety of different datasources and forwards the data to one or more indexers 1015. The datatypically includes streams of time-series data. Time-series data refersto any data that can be segmented such that each segment can beassociated with a time stamp. The data can be structured, unstructured,or semi-structured and can come from files and directories. Unstructureddata is data that is not organized to facilitate the extraction ofvalues for fields from the data, as is often the case with machine dataand web logs, two popular data sources for SPLUNK® ENTERPRISE.

FIG. 11 is a flowchart of a process that indexers 1015 may use toprocess, index, and store data received from the forwarders 1010. Atblock 1105, an indexer 1015 receives data from a forwarder 1010. Atblock 1110, the data is segmented into events. The events can be brokenat event boundaries, which can include character combinations and/orline breaks. In some instances, event boundaries are discoveredautomatically by the software, and in other instances, they may beconfigured by the user.

A time stamp is determined for each event at block 1115. The time stampcan be determined by extracting the time from data in the event or byinterpolating the time based on time stamps from other events. Inalternative embodiments, a time stamp may be determined from the timethe data was received or generated. The time stamp is associated witheach event at block 1120. For example, the time stamp may be stored asmetadata for the event.

At block 1125, the data included in a given event may be transformed.Such a transformation can include such things as removing part of anevent (e.g., a portion used to define event boundaries) or removingredundant portions of an event. A client may specify a portion to removeusing a regular expression or any similar method.

Optionally, a key word index can be built to facilitate fast keywordsearching of events. To build such an index, in block 1130, a set ofkeywords contained in the events is identified. At block 1135, eachidentified keyword is included in an index, which associates with eachstored keyword pointers to each event containing that keyword (orlocations within events where that keyword is found). When akeyword-based query is received by an indexer, the indexer may thenconsult this index to quickly find those events containing the keywordwithout having to examine again each individual event, thereby greatlyaccelerating keyword searches.

The events are stored in a data store at block 1140. The data can bestored in working, short-term and/or long-term memory in a mannerretrievable by query. The time stamp may be stored along with each eventto help optimize searching the events by time range.

In some instances, the data store includes a plurality of individualstorage buckets, each corresponding to a time range. An event can thenbe stored in a bucket associated with a time range inclusive of theevent's time stamp. This not only optimizes time based searches, but itcan allow events with recent time stamps that may have a higherlikelihood of being accessed to be stored at preferable memory locationsthat lend to quicker subsequent retrieval (such as flash memory insteadof hard-drive memory).

As shown in FIG. 10, data stores 1020 may be distributed across multipleindexers, each responsible for storing and searching a subset of theevents generated by the system. By distributing the time-based bucketsamong them, they can find events responsive to a query in parallel usingmap-reduce techniques, each returning their partial responses to thequery to a search head that combines the results together to answer thequery. This query handling is illustrated in FIG. 12.

At block 1205, a search heard receives a query from a search engine. Atblock 1210, the search head distributes the query to one or moredistributed indexers. These indexers can include those with access todata stores having events responsive to the query. For example, theindexers can include those with access to events with time stamps withinpart or all of a time period identified in the query. At block 1215, oneor more indexers to which the query was distributed searches its datastore for events responsive to the query. To determine events responsiveto the query, a searching indexer finds events specified by the criteriain the query. This criteria can include that the events have particularkeywords or contain a specified value or values for a specified field orfields (because this employs a late-binding schema, extraction of valuesfrom events to determine those that meet the specified criteria occursat the time this query is processed). It should be appreciated that, toachieve high availability and to provide for disaster recovery, eventsmay be replicated in multiple data stores, in which case indexers withaccess to the redundant events would not respond to the query byprocessing the redundant events. The indexers may either stream therelevant events back to the search head or use the events to calculate apartial result responsive to the query and send the partial result backto the search head. At block 1220, the search head combines all thepartial results or events received from the parallel processing togetherto determine a final result responsive to the query.

Data intake and query system 145 and the processes described withrespect to FIGS. 10-12 are further discussed and elaborated upon inCarasso, David. Exploring Splunk Search Processing Language (SPL) Primerand Cookbook. New York: CITO Research, 2012 and in Ledion Bitincka,Archana Ganapathi, Stephen Sorkin, and Steve Zhang. Optimizing dataanalysis with a semi-structured time series database. In SLAML, 2010.Each of these references is hereby incorporated by reference in itsentirety for all purposes.

Data Modeling and Associated User Interface for Defining Event Types forSwim Lanes

As noted, the query defining the event type for a swim lane may beentered by a user by simply typing in a query. But in alternativeembodiments, a user-interface based on data modeling may provide a userwith a simpler way to specify an event type for a swim lane withouthaving to know a query language Such a user interface could be generatedby a data-model engine 245.

A data model pertaining to a set of events may contain a set ofsub-models. Typically, a data model may be set up by a data analystfamiliar with the information contained in the events to make it easierfor other, less technical users to create and run queries on that dataand generate reports from that data.

Specifically, a given sub-model defines a schema for a subset of theevents in the data store. More specifically, it defines one or morefields and the subset of events in the data store to which those fieldscan be applied. As with other schema, each field is defined by anextraction rule specifying how to extract a value for that field fromeach of the events for which that field has been defined (the extractionrules are often defined by regular expressions, or regexes, but theyneed not be).

The sub-models in a data model may be arranged in a hierarchy presentedin a user interface, with each sub-model being user selectable. A lowerlevel sub-model further constrains the schema from a sub-model higher inthe hierarchy by either adding additional fields or narrowing the set ofevents to which fields higher in the hierarchy can be applied. Selectionof a sub-model constrains any subsequent search to the set of events andfields associated with that sub-model.

A particularly useful application of this data modeling concept is tomake it easier for nontechnical users to create searches without havingto learn the search language for the data store. Once a data model hasbeen set up, a graphical data model hierarchy may be presented. If theuser selects a particular sub-model, a user-interface will be presentedthat displays the various fields defined for the particular sub-model.Through a nice user interface, the user can then specify criteria forthose predefined fields in the sub-model. A query will then beautomatically generated that will search only those events associatedthe sub-model (and for which the fields presented in the UI weredefined) and using the criteria specified for the fields through theuser interface. Changing a selection of a sub-model changes the set ofevents that can be searched and the fields for which criteria can beentered in the user interface to those fields and events associated withthe chosen sub-model.

In one embodiment, a user interface button may be presented that enablesthe user to turn a query generated through this data-modeling based userinterface into a query defining an event type for a swim lane.

Data modeling and the use of a user interface based on data models togather criteria from a user with which to automatically construct arelevant query is technology included in SPLUNK® ENTERPRISE version 6.0;it is also described in U.S. application Ser. No. 13/607,117, which ishereby incorporated by reference in its entirety for all purposes.

FIG. 13 is a flowchart of a process 1300 for using a data model togenerate a swim lane. At block 1305, data model engine 245 defines adata model or enables a user to define one. The data model includes aplurality of sub-models, each of which defines a set of fields. Thesefield definitions provide the ability to subsequently search events forevents that include particular values of a given field or for eventsthat include a particular field.

At block 1310, visualization engine 235 receives a selection of asub-model. For example, an initial user interface may presentrepresentations of sub-models. A user may select one by clicking on aparticular representation, entering a name of a sub-model, etc. In someinstances, the user may select a sub-model by selecting a field that isassociated with a particular sub-model.

At block 1315, visualization engine 235 creates a user interface basedon the selection of the sub-model. The interface may identify the set offields defined by the sub-model. The interface may further identify oneor more constraints on a given field. Thus, in some instances, a usermay be presented with a comprehensive set of values for a field (e.g., alist or range), such that the user can identify one or more values ofinterest for the field.

At block 1320, visualization engine 235 receives a criterion for each ofone or more fields for the sub-model through the user interface. Forexample, the user may select a value for a field (e.g., which caninclude selecting one or more endpoints of a range). The identificationof the criterion can itself be indicative that the criterion is to beused to define an event type for a swim lane, or a separate indicationof such may be received. For example, after identifying one or morefield values or ranges, a user may indicate that the criterion iscomplete and/or that the criterion is to be used to collect events to berepresented in a particular swim lane (e.g., swim lane #2).

At block 1325, swim-lane query engine 205 generates a query defining anevent type. This may be done in response to a user indicating that thequery should be used as the basis for a swim lane. The definition isbased on the criterion received in block 1320 and a definition of one ormore corresponding fields in the selected sub-model. For example, thequery may include an indication that events should be returned if theevent includes a particular value for a particular field. Retrievedevents can then be represented in a swim lane in a visualization asdescribed in detail herein.

Accelerating Swim Lane Generation by Using Intermediate Query Summaries

SPLUNK® ENTERPRISE can accelerate some queries used to periodicallygenerate reports that, upon each subsequent execution, are intended toinclude updated data. To accelerate such reports, a summarization engineperiodically generates a summary of data responsive to the querydefining the report for a defined, non-overlapping subset of the timeperiod covered by the report. For example, where the query is meant toidentify events meeting specified criteria, a summary for a given timeperiod may include only those events meeting the criteria. Likewise, ifthe query is for a statistic calculated from events, such as the numberof events meeting certain criteria, then a summary for a given timeperiod may be the number of events in that period meeting the criteria.

Because the report, whenever it is run, includes older time periods, asummary for an older time period can save the work of having to re-runthe query on a time period for which a summary was generated, so onlythe newer data needs to be accounted for. Summaries of historical timeperiods may also be accumulated to save the work of re-running the queryon each historical time period whenever the report is updated.

A process for generating such a summary or report can begin byperiodically repeating a query used to define a report. The repeatedquery performance may focus on recent events. The summarization enginedetermines automatically from the query whether generation of updatedreports can be accelerated by creating intermediate summaries for pasttime periods. If it can, then summarization engine 250 periodicallycreates a non-overlapping intermediate summary covering new dataobtained during a recent, non-overlapping time period and stores thesummary in summary data store 255.

In parallel to the creation of the summaries, the query engine schedulesthe periodic updating of the report defined by the query. At eachscheduled report update, the query engine determines whetherintermediate summaries have been generated covering parts of the timeperiod covered by the current report update. If such summaries exist,then the report is based on the information from the summaries;optionally, if additional data has been received that has not yet beensummarized but that is required to generate a complete report, then thequery is run on this data and, together with the data from theintermediate summaries, the updated current report is generated. Thisprocess repeats each time an updated report is scheduled for creation.

As noted, this report acceleration method is used by SPLUNK® ENTERPRISE.It is also described in U.S. patent application Ser. No. 13/037,279,which is hereby incorporated by reference in its entirety for allpurposes.

This same report acceleration method can be used to accelerate a queryused to define the event type for a swim lane and gather the events forthat swim lane. Specifically, the time selector in the swim lanevisualization enables the user at any time to adjust the timeline axisto request a visualization including updated events from a recent timeperiod as well as events responsive to the event type for the swim lanefrom older time periods. So visualization engine 150 can accelerate swimlane generation by having a summarization engine 250 constantly createintermediate summaries covering discrete non-overlapping time periods ofevents that meet the event type definition for a swim lane. When a timerange is requested for a swim lane visualization, rather then re-runningthe whole query over the entire time period to find the events thatshould be displayed, the visualization engine can make use of theintermediate summaries for the query that cover time periods included inthe time period for which the visualization is requested.

FIG. 14 is a flow chart showing how to accelerate swim lane generationusing intermediate summaries. At block 1405, a query defining an eventtype for a swim lane is received. At block 1410, summarization engine250 repeatedly creates non-overlapping, intermediate summaries of eventsmeeting the event type definition for the swim lane. For example, dataintake and query system 145 can continuously or repeatedly collect data.Summarization engine 250 can then periodically create a new intermediatesummary to summarize recently collected data. Each summary can thereforebe associated with an event type and a time range that is indicative oftime stamps of events that are summarized in the summary.

In parallel, at block 1415, time-period definer 210 determines whether atime range for the swim-lane visualization has changed. In someinstances, a user may be viewing a visualization of a first time rangeand may then change the range to a second time range. In some instances,a user makes a new request to view a visualization based on a previousswim-lane definition. For example, queries for each of 5 swim lanes maybe defined. A user may view a visualization with a “last 24 hours” andthen close a program. If the user subsequently opens the program andrequests the visualization, the time range will have changed, and block1415 would be answered in the affirmative. In some instances, a usermakes no active change to a time range, but a previous definition of atime range is relative. For example, a user can indicate that the timerange is “last 24 hours”. The visualization may then update itselfperiodically to include new data. In preparation for each update, block1415's determination can be affirmative.

When the time range has changed, process 1400 continues to block 1420,where summarization engine 250 determines whether the new time rangeincludes time ranges covered by intermediate summaries of events for theevent type defining the swim lane. In some instances, this determinationincludes identifying a portion of the new time range not included in theprevious time range. It can then be determined whether this portion isincluded in time ranges of intermediate summaries.

When it is determined that an intermediate summary for the event type isassociated with a time range that includes a portion (e.g., any portionor a new portion) of the new time range, process 140 continues to block1425. There, summarization engine 250 collects one or more intermediatesummaries for the event type and associated with at least a portion ofthe time range. At block 1430, bucket engine 220 collects any new eventsnot summarized in collected summaries. Bucket engine 220 then combinesinformation from the collected summaries with information from the newevents. For example, in one instance, the collected summary tablesindicate time stamps of older events. Bucket engine can use thisinformation, as well as time stamps of the new events to generate a setof buckets, indicative of the combined events' time stamps.

At block 1440, visualization engine 235 generates a swim lane using thegrouped information. For example, the swim lane can represent bucketsincluding events represented in intermediate summaries and new events.When, at block 1420, summarization engine 250 determines that nosummaries exist pertaining to the new time range, process 1445 continuesto block 1445, where visualization engine 235 generates a swim laneusing only new events, as described herein.

It will be appreciated that process 1400 may be modified to omit blocks1430 and 1435. This modification may be appropriate when existingsummaries sufficiently or completely characterize events of the eventtype in the new time range.

Several embodiments disclosed herein indicate that a two-dimensionaldata object can be generated. For example, a scatter plot can compare anaccess count to an age since registration. It will be appreciated that,in some instances, the object can represent more than two dimensions.For visual presentations, a scatter plot could be enhanced such that asize, color, texture, and/or animation of individual points represents avalue of another dimension.

It will also be appreciated that disclosed embodiments could be extendedto allow a client to identify a specific notable event to be white- orblacklisted in a display of notable events. Such methods are describedin U.S. application Ser. No. 13/956,285, which is hereby incorporated byreference in its entirety for all purposes.

Exemplary Computer Architecture

Embodiments of the subject matter and the functional operationsdescribed in this specification can be implemented in digital electroniccircuitry, or in computer software, firmware, or hardware, including thestructures disclosed in this specification and their structuralequivalents, or in combinations of one or more of them. Embodiments ofthe subject matter described in this specification can be implemented asone or more computer program products, i.e., one or more modules ofcomputer program instructions encoded on a computer readable medium forexecution by, or to control the operation of, data processing apparatus.

The computer readable medium can be a machine readable storage device, amachine readable storage substrate, a memory device, a composition ofmatter effecting a machine readable propagated signal, or a combinationof one or more of them. The term “data processing apparatus” encompassesall apparatus, devices, and machines for processing data, including byway of example a programmable processor, a computer, or multipleprocessors or computers. The apparatus can include, in addition tohardware, code that creates an execution environment for the computerprogram in question, e.g., code that constitutes processor firmware, aprotocol stack, a data store management system, an operating system, ora combination of one or more of them. A propagated signal is anartificially generated signal, e.g., a machine generated electrical,optical, or electromagnetic signal, that is generated to encodeinformation for transmission to suitable receiver apparatus.

A computer program (also known as a program, software, softwareapplication, script, or code), can be written in any form of programminglanguage, including compiled or interpreted languages, and it can bedeployed in any form, including as a stand alone program or as a module,component, subroutine, or other unit suitable for use in a computingenvironment. A computer program does not necessarily correspond to afile in a file system. A program can be stored in a portion of a filethat holds other programs or data (e.g., on or more scripts stored in amarkup language document), in a single file dedicated to the program inquestion, or in multiple coordinated files (e.g., files that store oneor more modules, sub programs, or portions of code). A computer programcan be deployed to be executed on one computer or on multiple computersthat are located at one site or distributed across multiple sites andinterconnected by a communication network.

The processes and logic flows described in this specification can beperformed by one or more programmable processors executing one or morecomputer programs to perform functions by operating on input data andgenerating output. The processes and logic flows can also be performedby, and apparatus can also be implemented as, special purpose logiccircuitry, e.g., an FPGA (field programmable gate array) or an ASIC(application specific integrated circuit).

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computer. Generally, aprocessor will receive instructions and data from a read only memory ora random access memory or both. The essential elements of a computer area processor for performing instructions and one or more memory devicesfor storing instructions and data. Generally, a computer will alsoinclude, or be operatively coupled to receive data from or transfer datato, or both, one or more mass storage devices for storing data, e.g.,magnetic, magneto optical disks, or optical disks. However, a computerneed not have such devices. Moreover, a computer can be embedded inanother device, e.g., a mobile telephone, a personal digital assistant(PDA), a mobile audio player, a Global Positioning System (GPS)receiver, to name just a few. Computer readable media suitable forstoring computer program instructions and data include all forms ofnonvolatile memory, media, and memory devices, including by way ofexample semiconductor memory devices, e.g., EPROM, EEPROM, and flashmemory devices; magnetic disks, e.g., internal hard disks or removabledisks; magneto optical disks; and CD ROM and DVD ROM disks. Theprocessor and the memory can be supplemented by, or incorporated in,special purpose logic circuitry.

To provide for interaction with a user, architecture provider orreviewer, embodiments of the subject matter described in thisspecification can be implemented on a computer having a display device,e.g., a CRT (cathode ray tube) to LCD (liquid crystal display) monitor,for displaying information to the user and a keyboard and a pointingdevice, e.g., a mouse or a trackball, by which the user can provideinput to the computer. Other kinds of devices can be used to provide forinteraction with a user, architecture provider or reviewer as well; forexample, feedback provided to the user can be any form of sensoryfeedback, e.g., visual feedback, auditory feedback, or tactile feedback;and input from the user, architecture provider or reviewer can bereceived in any from, including acoustic, speech, or tactile input.

Embodiments of the subject matter described in this specification can beimplemented in a computing system that includes a back end component,e.g., as a data server, or that includes a middleware component, e.g.,an application server, or that includes a front end component, e.g., aclient computer having a graphical user interface or a Web browserthrough which a user can interact with an implementation of the subjectmatter described in this specification, or any combination of one ormore such back end, middleware, or front end components. The componentsof the system can be interconnected by any form or medium of digitaldata communication, e.g., a communication network. Examples ofcommunication networks include a local area network (“LAN”) and a widearea network (“WAN”), e.g., the Internet.

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client server relationship to each other.

While this specification contains many specifics, these should not beconstrued as limitations on the scope of the invention or of what may beclaimed, but rather as descriptions of features specific to particularembodiments of the invention. Certain features that are described inthis specification in the context or separate embodiments can also beimplemented in combination in a single embodiment. Conversely, variousfeatures that are described in the context of a single embodiment canalso be implemented in multiple embodiments separately or in anysuitable subcombination. Moreover, although features may be describedabove as acting in certain combinations and even initially claimed assuch, one or more features from a claimed combination can in some casesbe excised from the combination, and the claimed combination may bedirected to a subcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as requiring that such operationsbe performed in the particular order shown or in sequential order, orthat all illustrated operations be performed, to achieve desirableresults. In certain circumstances, multitasking and parallel processingmay be advantageous. Moreover, the separation of various systemcomponents in the embodiments described above should not be understoodas requiring such separation in all embodiments, and it should beunderstood that the described program components and systems cangenerally be integrated together in a single software product orpackaged into multiple software products.

Thus, particular embodiments of the invention have been described. Otherembodiments are within the scope of the following claims. For example,the actions recited in the claims can be performed in a different orderand still achieve desirable results.

What is claimed is:
 1. A method, comprising: causing display of arepresentation of a timeline; concurrently causing display along therepresentation of the timeline of at least one graphical indicator thatrepresents a first set of events among a plurality of events, whereinthe first set of events is associated with a time frame within a timeperiod represented by the timeline, wherein one or more events in thefirst set of events is derived from raw data, each event in the firstset of events has an associated event time that occurs within theassociated time frame, the at least one graphical indicator is displayedat a position along the representation of the timeline corresponding tothe associated time frame; causing display of a second at least onegraphical indicator that represents a second set of events among theplurality of events, the second at least one graphical indicatordisplayed in a display area that is parallel with a display area inwhich the at least one graphical indicator is displayed; wherein thefirst set of events was generated by a first search query executedagainst the plurality of events and the second set of events wasgenerated by a second search query executed against the plurality ofevents, search criteria in the first search query differing from searchcriteria in the second search query; wherein the method is performed byone or more computing devices.
 2. The method of claim 1, wherein thefirst search query and the second search query both include searchcriteria requiring matching events to relate to a same particular useror to a same particular asset.
 3. The method of claim 1, wherein thefirst search query and the second search query both include searchcriteria requiring matching events to relate to a same particular user.4. The method of claim 1, wherein the first search query and the secondsearch query both include search criteria requiring matching events torelate to a same particular asset.
 5. The method of claim 1, furthercomprising: based on user input, rearranging a displayed order of theparallel display areas.
 6. The method of claim 1, further comprising: inresponse to receiving an input identifying a graphical indicator amongthe at least one graphical indicator that is associated with aparticular set of events, displaying additional information about one ormore events in the particular set of events.
 7. The method of claim 1,further comprising: in response to receiving an input identifying agraphical indicator among the at least one graphical indicator that isassociated with a particular set of events, displaying at least aportion of one or more events in the particular set of events.
 8. Themethod of claim 1, further comprising: receiving input corresponding toa selection of one or more graphical indicators of the at least onegraphical indicator; receiving input indicative of a request to create anotable event corresponding to events represented by the selected one ormore one or more graphical indicators; and based on receiving the inputindicative of the request, creating the notable event corresponding tothe events represented by the selected one or more graphical indicators.9. The method of claim 1, further comprising: receiving inputcorresponding to a selection of one or more graphical indicators of theat least one graphical indicator; receiving input indicative of arequest to create a notable event corresponding to events represented bythe selected one or more one or more graphical indicators; based onreceiving the input indicative of the request, creating the notableevent corresponding to the events represented by the selected one ormore graphical indicators; and assigning a name to the notable event.10. The method of claim 1, further comprising: receiving inputcorresponding to a selection of one or more graphical indicators of theat least one graphical indicator; receiving input indicative of arequest to create a notable event corresponding to events represented bythe selected one or more one or more graphical indicators; based onreceiving the input indicative of the request, creating the notableevent corresponding to the events represented by the selected one ormore graphical indicators; and assigning an urgency state to the notableevent.
 11. The method of claim 1, further comprising: receiving inputcorresponding to a selection of one or more graphical indicators of theat least one graphical indicator; receiving input indicative of arequest to create an alert corresponding to events represented by theselected one or more one or more graphical indicators; and based onreceiving the input indicative of the request, creating the alertcorresponding to the events represented by the selected one or moregraphical indicators.
 12. The method of claim 1, wherein one or moreevents in the first set of events is derived from machine data.
 13. Themethod of claim 1, wherein one or more events in the first set of eventsis derived from unstructured data.
 14. The method of claim 1, whereinone or more events in the first set of events includes a portion of rawmachine data.
 15. The method of claim 1, wherein one or more events inthe first set of events is associated with a time stamp and includes aportion of raw machine data.
 16. The method of claim 1, wherein the atleast one graphical indicator indicates a number of events in the firstset of events.
 17. The method of claim 1, wherein the at least onegraphical indicator indicates a number of events in the first set ofevents using color or color shading.
 18. The method of claim 1, whereinthe first set of events consists of a single event.
 19. The method ofclaim 1, wherein the at least one graphical indicator includes at leasttwo graphical indicators representing different sets of events among theplurality of events, and wherein the different sets of events havenon-overlapping time frames.
 20. The method of claim 1, wherein thefirst search query was executed against the plurality of events using alate-binding schema to generate the first set of events.
 21. The methodof claim 1, wherein the first search query was executed against theplurality of events to generate the first set of events using a searchacceleration technique.
 22. The method of claim 1, wherein an event inthe first set of events includes a notable event.
 23. The method ofclaim 1, wherein an event in the first set of events includes an alert.24. One or more non-transitory computer-readable storage media, storingone or more sequences of instructions, which when executed by one ormore processors cause performance of: causing display of arepresentation of a timeline; concurrently causing display along therepresentation of the timeline of at least one graphical indicator thatrepresents a first set of events among a plurality of events, whereinthe first set of events is associated with a time frame within a timeperiod represented by the timeline, wherein one or more events in thefirst set of events is derived from raw data, each event in the firstset of events has an associated event time that occurs within theassociated time frame, the at least one graphical indicator is displayedat a position along the representation of the timeline corresponding tothe associated time frame; causing display of a second at least onegraphical indicator that represents a second set of events among theplurality of events, the second at least one graphical indicatordisplayed in a display area that is parallel with a display area inwhich the at least one graphical indicator is displayed; wherein thefirst set of events was generated by a first search query executedagainst the plurality of events and the second set of events wasgenerated by a second search query executed against the plurality ofevents, search criteria in the first search query differing from searchcriteria in the second search query.
 25. The one or more non-transitorycomputer-readable storage media of claim 24, wherein the first searchquery and the second search query both include search criteria requiringmatching events to relate to a same particular user or to a sameparticular asset.
 26. The one or more non-transitory computer-readablestorage media of claim 24, further comprising: in response to receivingan input identifying a graphical indicator among the at least onegraphical indicator that is associated with a particular set of events,displaying additional information about one or more events in theparticular set of events.
 27. An apparatus, comprising: a subsystem,implemented at least partially in hardware, that causes display of arepresentation of a timeline; a subsystem, implemented at leastpartially in hardware, that concurrently causes display along therepresentation of the timeline of at least one graphical indicator thatrepresents a first set of events among a plurality of events, whereinthe first set of events is associated with a time frame within a timeperiod represented by the timeline, wherein one or more events in thefirst set of events is derived from raw data, each event in the firstset of events has an associated event time that occurs within theassociated time frame, the at least one graphical indicator is displayedat a position along the representation of the timeline corresponding tothe associated time frame; causing display of a second at least onegraphical indicator that represents a second set of events among theplurality of events, the second at least one graphical indicatordisplayed in a display area that is parallel with a display area inwhich the at least one graphical indicator is displayed; wherein thefirst set of events was generated by a first search query executedagainst the plurality of events and the second set of events wasgenerated by a second search query executed against the plurality ofevents, search criteria in the first search query differing from searchcriteria in the second search query.
 28. The apparatus of claim 27,wherein the first search query and the second search query both includesearch criteria requiring matching events to relate to a same particularuser or to a same particular asset.
 29. The apparatus of claim 27,further comprising: in response to receiving an input identifying agraphical indicator among the at least one graphical indicator that isassociated with a particular set of events, displaying additionalinformation about one or more events in the particular set of events.30. A method, comprising: causing display of a representation of atimeline; concurrently causing display along the representation of thetimeline of at least one graphical indicator that represents a first setof events among a plurality of events, wherein the first set of eventsis associated with a time frame within a time period represented by thetimeline, wherein one or more events in the first set of events includesa portion of raw machine data, each event in the first set of events hasan associated event time that occurs within the associated time frame,the at least one graphical indicator is displayed at a position alongthe representation of the timeline corresponding to the associated timeframe; causing display of a second at least one graphical indicator thatrepresents a second set of events among the plurality of events, thesecond at least one graphical indicator displayed in a display area thatis parallel with a display area in which the at least one graphicalindicator is displayed; wherein the first set of events was generated bya first search query executed against the plurality of events and thesecond set of events was generated by a second search query executedagainst the plurality of events, search criteria in the first searchquery differing from search criteria in the second search query; whereinthe method is performed by one or more computing devices.
 31. A method,comprising: causing display of a representation of a timeline;concurrently causing display along the representation of the timeline ofat least one graphical indicator that represents a first set of eventsamong a plurality of events, wherein the first set of events isassociated with a time frame within a time period represented by thetimeline, wherein one or more events in the first set of events isassociated with a time stamp and includes a portion of raw machine data,each event in the first set of events has an associated event time stampthat occurs within the associated time frame, the at least one graphicalindicator is displayed at a position along the representation of thetimeline corresponding to the associated time frame; causing display ofa second at least one graphical indicator that represents a second setof events among the plurality of events, the second at least onegraphical indicator displayed in a display area that is parallel with adisplay area in which the at least one graphical indicator is displayed;wherein the first set of events was generated by a first search queryexecuted against the plurality of events and the second set of eventswas generated by a second search query executed against the plurality ofevents, search criteria in the first search query differing from searchcriteria in the second search query; wherein the method is performed byone or more computing devices.
 32. A method, comprising: causing displayof a representation of a timeline; concurrently causing display alongthe representation of the timeline of at least one graphical indicatorthat represents a first set of events among a plurality of events,wherein the first set of events is associated with a time frame within atime period represented by the timeline, each event in the first set ofevents has an associated event time that occurs within the associatedtime frame, the at least one graphical indicator is displayed at aposition along the representation of the timeline corresponding to theassociated time frame; causing display of a second at least onegraphical indicator that represents a second set of events among theplurality of events, the second at least one graphical indicatordisplayed in a display area that is parallel with a display area inwhich the at least one graphical indicator is displayed; wherein thefirst set of events was generated by a first search query executedagainst the plurality of events and the second set of events wasgenerated by a second search query executed against the plurality ofevents, search criteria in the first search query differing from searchcriteria in the second search query, wherein the first search query wasexecuted against the plurality of events using a late-binding schema togenerate the first set of events; wherein the method is performed by oneor more computing devices.